LinuxQuestions.org
Old 07-25-2005, 03:32 AM   #1
lowpro2k3
Member
 
Registered: Oct 2003
Location: Canada
Distribution: Slackware
Posts: 340

Rep: Reputation: 30
How to verify downloaded kernel integrity (with *.sign files?)


Let's say I go to kernel.org and download the latest kernel and the .sign file that accompanies the release:

Code:
$ ls -l
-rw-------   1 root root   46713120   linux-2.6.12.3.tar.gz
-rw-------   1 root root        248   linux-2.6.12.3.tar.gz.sign
How do I verify the checksum to ensure that the downloaded kernel matches the *.sign file? I have 'gpg' and the md5 tools installed on my system.
 
Old 07-25-2005, 08:49 AM   #2
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Import the kernel.org public key

gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E

Verify the sig:

gpg --verify linux-2.6.12.3.tar.gz.sign linux-2.6.12.3.tar.gz
 
Old 07-25-2005, 02:06 PM   #3
lowpro2k3
Member
 
Registered: Oct 2003
Location: Canada
Distribution: Slackware
Posts: 340

Original Poster
Rep: Reputation: 30
I didn't have any luck downloading the public key:

Code:
$ gpg --keyserver ....
gpg: Can't get keys from keyserver: Success
gpg: Total number processed: 0
 
Old 07-25-2005, 02:34 PM   #4
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
*shrugs* Works for me:

demian@luna:~ $ gpg --keyserver wwwkeys.pgp.net --recv-keys 0x517D0F0E
gpg: key 517D0F0E: public key "Linux Kernel Archives Verification Key <ftpadmin@kernel.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
demian@luna:~ $

Alternative: Go here
http://wwwkeys.pgp.net:11371/pks/loo...rch=0x517D0F0E

Copy and paste the key into a file, say, kernel.key. Then import it using

gpg --import kernel.key
 
Old 07-25-2005, 06:31 PM   #5
lowpro2k3
Member
 
Registered: Oct 2003
Location: Canada
Distribution: Slackware
Posts: 340

Original Poster
Rep: Reputation: 30
OK thanks, I tried again and still got the same error so I went to the website and copied/pasted the public key, and imported it using gpg. I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).

Thanks for your help


Code:
$ gpg --list-keys
/root/.gnupg/pubring.gpg
--------------------------------
pub   1024D/517D0F0E  2000-10-10  Linux Kernel Archives Verification Key <ftpadmin@kernel.org>
sub   4086G/E50A8F2A  2000-10-10

Last edited by lowpro2k3; 07-25-2005 at 06:34 PM.
 
Old 07-26-2005, 09:25 AM   #6
demian
Member
 
Registered: Apr 2001
Location: Bremen, Germany
Distribution: Debian
Posts: 303

Rep: Reputation: 30
Quote:
Originally posted by lowpro2k3
I know I have to 'gpg --verify ... ' now, but I can't figure out the command to use the stored key as the argument (instead of a filename...).
You use the command from my first post. The argument is the signature and the file to verify, not the public key.
 
Old 06-27-2011, 07:23 PM   #7
entz
Member
 
Registered: Mar 2007
Location: Milky Way , Planet Earth!
Distribution: Opensuse
Posts: 453
Blog Entries: 3

Rep: Reputation: 40
Well, hi,

I've a related question that follows on from this thread...

How about verifying the public key itself and making sure that whatever has been imported does indeed originate from the Linux kernel archive and is not some forged man-in-the-middle key?

I know, I sound paranoid, but I'm curious to know. By the way, I've read about this in theory (CA and web of trust) but don't know how to make practical use of such things, etc.

Cheers
 
Old 06-28-2011, 01:49 PM   #8
berbae
Member
 
Registered: Jul 2005
Location: France
Distribution: Arch Linux
Posts: 540

Rep: Reputation: Disabled
It surely is not easy to be sure, but one way is to contact somebody on the kernel development team and ask him/her to tell you the fingerprint of the public key, either by phone, by real mail through the postal service, or by some other secure way.
You can also verify the key by the fingerprint with someone who has already done the verification.

But you also have to be sure that the person is really the one you think s/he is!
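
Added example, not part of any post in this thread: once a fingerprint has been confirmed out of band as described in post #8, the `gpg --verify` step from post #2 can be tied to that exact key by reading gpg's machine-readable status output instead of trusting any "Good signature" from the keyring. A key ID such as 0x517D0F0E is only the tail of the fingerprint, so the check insists on all 40 hex digits. The function names, `PINNED_FPR` and the sample fingerprints are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Fingerprints used with it are filler
# digits plus the short key ID from the thread; they are NOT the real
# kernel.org fingerprint.

# check_sig_status PINNED_FPR  (reads `gpg --status-fd 1 --verify ...` on stdin)
# Returns 0 only if gpg reported a valid signature made by the key whose full
# 40-hex-digit fingerprint is PINNED_FPR; 1 if rejected; 2 on a bad argument.
check_sig_status() {
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$pinned" in
        ''|*[!0-9A-F]*) echo "fingerprint must be hex" >&2; return 2 ;;
    esac
    # Refuse short/long key IDs: only the full fingerprint identifies a key.
    [ "${#pinned}" -eq 40 ] || { echo "need 40 hex digits" >&2; return 2; }

    valid=no
    while read -r tag keyword arg1 rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            # Policy of this example: expired or revoked keys also fail.
            BADSIG|ERRSIG|NO_PUBKEY|EXPSIG|EXPKEYSIG|REVKEYSIG)
                echo "rejected: $keyword" >&2; return 1 ;;
            VALIDSIG)
                # arg1 = signing key fingerprint; last field = primary key's.
                primary=${rest##* }
                if [ "$arg1" = "$pinned" ] || [ "$primary" = "$pinned" ]; then
                    valid=yes
                else
                    echo "rejected: signed by $arg1" >&2; return 1
                fi ;;
        esac
    done
    [ "$valid" = yes ]
}

# Constructed status output for a signature gpg considers good, made by key $1.
sample_good_status() {
    printf '[GNUPG:] GOODSIG %s Example Signer <signer@example.org>\n' \
        "$(printf '%s' "$1" | cut -c25-40)"
    printf '[GNUPG:] VALIDSIG %s 2005-07-15 1121400000 0 3 0 17 2 00 %s\n' "$1" "$1"
}

# Real use, with the fingerprint you confirmed out of band:
#   gpg --status-fd 1 --verify linux-2.6.12.3.tar.gz.sign linux-2.6.12.3.tar.gz \
#       2>/dev/null | check_sig_status "$PINNED_FPR"
```

The pinned value can be pasted in the spaced form that `gpg --fingerprint` prints; spaces are stripped before comparison.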
 
  


All times are GMT -5.